You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@chukwa.apache.org by "Eric Yang (Resolved) (JIRA)" <ji...@apache.org> on 2011/12/14 22:01:31 UTC
[jira] [Resolved] (CHUKWA-619) Disable Trace Method on Collector's
Port
[ https://issues.apache.org/jira/browse/CHUKWA-619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Eric Yang resolved CHUKWA-619.
------------------------------
Resolution: Fixed
Release Note: Disabled trace method on Chukwa servlets. (Julio Conca via Eric Yang)
I just committed this to trunk. Thanks Julio.
> Disable Trace Method on Collector's Port
> ----------------------------------------
>
> Key: CHUKWA-619
> URL: https://issues.apache.org/jira/browse/CHUKWA-619
> Project: Chukwa
> Issue Type: Wish
> Components: data collection
> Affects Versions: 0.4.0
> Environment: Debian 5.0, Hadoop 0.20
> Reporter: Julio Conca
> Priority: Trivial
> Fix For: 0.5.0
>
>
> After a safety auditory of our client. He notified us the next vulnerability at port 8081 (Collector port).
> HTTP TRACE / TRACK Methods Allowed
> I think this is a good documentation over the vulnerability.
> http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf.
> We add the following code to all the collector's servlets to solve the problem.
> protected void doTrace(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
> resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
> }
> The collector's servlets we fixed are.
> org.apache.hadoop.chukwa.datacollection.collector.servlet.CommitCheckServlet
> org.apache.hadoop.chukwa.datacollection.collector.servlet.LogDisplayServlet
> org.apache.hadoop.chukwa.datacollection.collector.servlet.ServletCollector
> Another solution could be to extend from jetty's DefaultServlet, but we didn't try. Our solution is good enough for us.
> Regards.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira